CEH v8 Labs Module 07: Viruses and Worms
  • 1. CEH Lab Manual: Viruses and Worms, Module 07
  • 2. Module 07 - Viruses and Worms

Viruses and Worms

A virus is a self-replicating program that produces its own code by attaching copies of itself onto other executable code. Some viruses affect computers as soon as their code is executed; others lie dormant until a predetermined logical condition is met.

ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review

Lab Scenario

A computer virus attaches itself to a program or file, enabling it to spread from one computer to another, leaving infections as it travels. The biggest danger with a worm is its capability to replicate itself on your system, so rather than your computer sending out a single worm, it could send out hundreds or thousands of copies of itself, creating a devastating effect. A blended threat is a more sophisticated attack that bundles some of the worst aspects of viruses, worms, Trojan horses and malicious code into one single threat. Blended threats can use server and Internet vulnerabilities to initiate, transmit and spread an attack; the attacker would normally use a single payload to transport multiple attacks. The attacker can launch a DoS attack or install a backdoor, and may even damage a local system or network systems.

Since you are an expert ethical hacker and penetration tester, the IT director instructs you to test the network for any viruses and worms that damage or steal the organization's information. You need to construct viruses and worms, inject them into a dummy network (virtual machine), and check whether they are detected by antivirus programs or are able to bypass the network firewall.

Lab Objectives

The objective of this lab is to make students learn how to create viruses and worms. In this lab, you will learn how to:
■ Create viruses using tools
■ Create worms using a worm generator tool

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms

Lab Environment

To carry this out, you need:
■ A computer running Windows Server 2012 as host machine
■ Windows Server 2008, Windows 7 and Windows 8 running on virtual machines as guest machines
■ A web browser with Internet access
■ Administrative privileges to run tools

CEH Lab Manual Page 530. Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
  • 3. Module 07 - Viruses and Worms

Lab Duration

Time: 30 Minutes

Overview of Viruses and Worms

A virus is a self-replicating program that produces its own code by attaching copies of itself onto other executable code. Some viruses affect computers as soon as their code is executed; others lie dormant until a predetermined logical condition is met. Computer worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction. Most worms are created only to replicate and spread across a network, consuming available computing resources. However, some worms carry a payload to damage the host system.

Lab Tasks

TASK 1: Overview

Recommended labs to assist you in creating viruses and worms:
■ Creating a virus using the JPS Virus Maker tool
■ Virus analysis using IDA Pro
■ Virus analysis using VirusTotal
■ Scan for viruses using Kaspersky Antivirus 2013
■ Virus analysis using OllyDbg
■ Creating a worm using the Internet Worm Maker Thing

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
  • 4. Module 07 - Viruses and Worms

Creating a Virus Using the JPS Virus Maker Tool

JPS Virus Maker is a tool to create viruses. It also has a feature to convert a virus into a worm.

Lab Scenario

In recent years there has been a large growth in Internet traffic generated by malware, that is, Internet worms and viruses. This traffic usually only impinges on the user when either their machine gets infected or during the epidemic stage of a new worm, when the Internet becomes unusable due to overloaded routers. What is less well known is that there is a background level of malware traffic at times of non-epidemic growth, and that anyone plugging an unfirewalled machine into the Internet today will see a steady stream of port scans, backscatter from attempted distributed denial-of-service attacks, and host scans. We need to build better firewalls, protect the Internet router infrastructure, and provide early-warning mechanisms for new attacks.

Since you are an expert ethical hacker and penetration tester, your IT director instructs you to test the network to determine whether any viruses and worms will damage or steal the organization's information. You need to construct viruses and worms, try to inject them into a dummy network (virtual machine), and check their behavior: whether they are detected by an antivirus and whether they bypass the firewall.

Lab Objectives

The objective of this lab is to make students learn and understand how to make viruses and worms.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms

Lab Environment

To carry out the lab, you need:
■ JPS tool located at D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Virus Construction Kits\JPS Virus Maker
  • 5. Module 07 - Viruses and Worms
■ A computer running Windows Server 2012 as host machine
■ Windows Server 2008 running on virtual machine as guest machine
■ Run this tool on Windows Server 2008
■ Administrative privileges to run tools

Lab Duration

Time: 15 Minutes

Overview of Viruses and Worms

A virus is a self-replicating program that produces its own code by attaching copies of itself onto other executable code. Some viruses affect computers as soon as their code is executed; others lie dormant until a predetermined logical condition is met.

Lab Tasks

TASK 1: Make a Virus

1. Launch your Windows Server 2008 virtual machine.
2. Navigate to Z:\CEHv8 Module 07 Viruses and Worms\Virus Construction Kits\JPS Virus Maker.
3. Launch the JPS Virus Maker tool. Installation is not required for JPS Virus Maker. Double-click and launch the jps.exe file.
4. The JPS (Virus Maker 3.0) window appears.

Note: Take a snapshot of the virtual machine before launching the JPS Virus Maker tool.

Note: The Auto Startup option is checked by default; it starts the virus whenever the system boots.

JPS (Virus Maker 3.0) - Virus Options (all unchecked initially):
■ Disable: Registry, MsConfig, Task Manager, Yahoo, Media Player, Internet Explorer, Time, Group Policy, Windows Explorer, Norton Anti Virus, McAfee Anti Virus, Note Pad, Word Pad, Windows, DHCP Client, Taskbar, Start Button, MSN Messenger, CMD, Security Center, System Restore, Control Panel, Desktop Icons, Screen Saver
■ Hide: Services, Outlook Express, Windows Clock, Desktop Icons, All Processes in Taskmgr, All Tasks in Taskmgr, Run, Cursor
■ Other: Change Explorer Caption, Clear Windows XP, Swap Mouse Buttons, Remove Folder Options, Lock Mouse & Keyboard, Mute Sound Always, CD-ROM, Turn Off Monitor, Crazy Mouse, Destroy Taskbar, Destroy Offlines (YIMessenger), Destroy Protected Storage, Destroy Audio Service, Destroy Clipboard, Terminate Windows, Auto Startup
  • 6. Module 07 - Viruses and Worms

FIGURE 1.1: JPS Virus Maker main window

5. JPS lists the Virus Options; check the options that you want to embed in the new virus file (the same option set as in Figure 1.1).

Note: This creation of a virus is only for knowledge purposes; don't misuse it.

Note: A list of names for the virus after install is shown in the Name After Install drop-down list.

FIGURE 1.2: JPS Virus Maker main window with options selected

6. Select one of the radio buttons to specify when the virus should start attacking the system after creation: Restart, Log Off, Turn Off, Hibernate, or None.

FIGURE 1.3: JPS Virus Maker main window with Restart selected

Note: A list of server names is present in the Server Name drop-down list. Select any server name.

7. Select the name of the service you want the virus to behave like from the Name After Install drop-down list (Rundll32 in the figure).

FIGURE 1.4: JPS Virus Maker main window with the Name After Install option

8. Select a server name for the virus from the Server Name drop-down list (Svchost.exe, Kernel32.exe, spoolsv.exe, ALG.EXE, svchost.exe).
  • 7. Module 07 - Viruses and Worms

Note: Don't forget to change these settings for every new virus creation. Otherwise, by default, it takes the same name as an earlier virus.

FIGURE 1.5: JPS Virus Maker main window with the Server Name option

9. Now, before clicking Create Virus!, change the settings and virus options by clicking the settings icon.

FIGURE 1.6: JPS Virus Maker main window with the Settings option

10. Here you see more options for the virus. Check the options and provide the related information in the respective text fields:
■ Change XP Password (jp@ssw0rd in the figure)
■ Change Computer Name (Test)
■ Change IE Home Page (www.juggyboy.com)
■ Close Custom Window (Yahoo! Messenger)
■ Disable Custom Service (Alerter)
■ Disable Custom Process (ypager.exe)
■ Open Custom Website
■ Run Custom Command
■ Enable Convert to Worm (auto copy to paths), with Copy After (seconds) and Worm Name
■ Change Icon: Transparent, Love Icon, Flash Icon 1, Flash Icon 2, Font Icon, Doc Icon, PDF Icon, JPG Icon, BMP Icon, Help Icon, EXE Icon, BAT Icon, Setup 1 Icon, Setup 2 Icon, ZIP Icon

Note: You can select any icon from the Change Icon options. A new icon can be added to the list.

TASK 2: Make a Worm

11. You can change the Windows XP password and the IE home page, close a custom window, disable a particular custom service, etc.
12. You can even allow the virus to convert to a worm. To do this, check the Enable Convert to Worm checkbox and provide a Worm Name.

FIGURE 1.7: JPS Virus Maker Settings option
  • 8. Module 07 - Viruses and Worms

13. For the worm to self-replicate after a particular time period, specify the time (in seconds) in the Copy After field.
14. You can also change the virus icon. Select the type of icon you want to view for the created virus by selecting the radio button under the Change Icon section.

Note: Make sure to check all the options and settings before clicking Create Virus!

Features: Change XP Password; Change Computer Name; Change IE Home Page; Close Custom Windows; Disable Custom Service; Disable Process; Open Custom Website; Run Custom Command; Enable Convert To Worm (auto copy server to active path with custom name and time); Change Custom Icon for your created virus (15 icons).

FIGURE 1.8: JPS Virus Maker main window with options

15. After completing your selection of options, click Create Virus!

FIGURE 1.9: JPS Virus Maker main window with Create Virus! button

16. A pop-up window with the message Server Created Successfully appears. Click OK.

FIGURE 1.10: JPS Virus Maker Server Created Successfully message
  • 9. Module 07 - Viruses and Worms

17. The newly created virus (server) is placed automatically in the same folder as jps.exe, but with the name Svchost.exe.
18. Now pack this virus with a binder or virus packager and send it to the victim machine inside the isolated lab network (virtual machine). ENJOY!

Lab Analysis

Document all the files, created viruses, and worms in a separate location.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: JPS Virus Maker Tool
Information Collected/Objectives Achieved: To make the virus, the following options are used:
■ Disable Yahoo
■ Disable Internet Explorer
■ Disable Norton Antivirus
■ Disable McAfee Antivirus
■ Disable Taskbar
■ Disable Security Restore
■ Disable Control Panel
■ Hide Windows Clock
■ Hide All Tasks in Taskmgr
■ Change Explorer Caption
■ Destroy Taskbar
■ Destroy Offlines (YIMessenger)
■ Destroy Audio Services
■ Terminate Windows
■ Auto Startup

Questions

1. Infect a virtual machine with the created viruses and evaluate the behavior of the virtual machine.
2. Examine whether the created viruses are detected or blocked by any antivirus programs or antispyware.
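The questions above ask whether an antivirus notices the server; an analyst would not stop there but would triage the guest directly for the artefacts the chosen JPS options imply: a file named after a system binary (step 17 produces Svchost.exe next to jps.exe) running from the wrong directory, a Run-key entry for it (Auto Startup), and the Windows lockdown policies behind "Disable Task Manager", "Disable Registry", "Disable CMD", "Disable Control Panel" and "Disable System Restore". The script below is an added example, not part of the EC-Council manual or of JPS. The process list and registry snapshot are constructed, not captured from a real machine; the policy value names are the standard Windows policy values, and it is an assumption of this example that JPS implements its options through them (the lab does not say how). The masquerade check does not depend on that assumption.

```python
import ntpath

# Names JPS offers in its Server Name list, and the only directories in which the
# genuine binary of that name lives on a default Windows install.
SYSTEM_BINARIES = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "alg.exe": {r"c:\windows\system32"},
    "rundll32.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# Standard Windows policy values behind "disable Task Manager" and friends.
# Assumption: JPS implements its Disable options through these (the lab does not say).
POLICY_SYSTEM = r"hkcu\software\microsoft\windows\currentversion\policies\system"
POLICY_EXPLORER = r"hkcu\software\microsoft\windows\currentversion\policies\explorer"
TAMPER_POLICIES = {
    (POLICY_SYSTEM, "disabletaskmgr"): "Task Manager disabled",
    (POLICY_SYSTEM, "disableregistrytools"): "Registry Editor disabled",
    (POLICY_EXPLORER, "nocontrolpanel"): "Control Panel hidden",
    (POLICY_EXPLORER, "norun"): "Run dialog hidden",
    (POLICY_EXPLORER, "nofolderoptions"): "Folder Options removed",
    (r"hkcu\software\policies\microsoft\windows\system", "disablecmd"): "Command Prompt disabled",
    (r"hklm\software\policies\microsoft\windows nt\systemrestore", "disablesr"): "System Restore disabled",
}
RUN_KEYS = (r"hkcu\software\microsoft\windows\currentversion\run",
            r"hklm\software\microsoft\windows\currentversion\run")


def find_masquerades(processes):
    """Flag system-binary names running from the wrong directory or under the wrong parent."""
    findings = []
    for p in processes:
        name = p["name"].lower()
        allowed = SYSTEM_BINARIES.get(name)
        if allowed is None:
            continue
        if ntpath.dirname(p["path"].lower()) not in allowed:
            findings.append("pid %d: %s runs from %s, not a system directory" % (p["pid"], p["name"], p["path"]))
        if name == "svchost.exe" and p.get("parent", "").lower() != "services.exe":
            findings.append("pid %d: svchost.exe started by %s, not services.exe" % (p["pid"], p.get("parent", "?")))
    return findings


def find_policy_tampering(registry):
    """Report every lockdown policy that is set to 1 in the snapshot."""
    return [label for (key, value), label in TAMPER_POLICIES.items()
            if registry.get(key, {}).get(value) == 1]


def find_suspicious_autoruns(registry):
    """Run-key entries whose target borrows a system-binary name outside System32."""
    findings = []
    for key in RUN_KEYS:
        for entry, command in registry.get(key, {}).items():
            target = command.strip('"').lower()
            base = ntpath.basename(target)
            if base in SYSTEM_BINARIES and ntpath.dirname(target) not in SYSTEM_BINARIES[base]:
                findings.append("autorun %r launches %s" % (entry, command))
    return findings


# Constructed snapshot of the lab guest after the JPS server has run (not real data);
# key paths and value names are lower-cased the way an exporter would normalise them.
SAMPLE_PROCESSES = [
    {"pid": 612, "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe", "parent": "services.exe"},
    {"pid": 2088, "name": "Svchost.exe", "path": r"C:\Users\Administrator\Desktop\Svchost.exe", "parent": "explorer.exe"},
    {"pid": 1304, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe", "parent": "userinit.exe"},
]
SAMPLE_REGISTRY = {
    POLICY_SYSTEM: {"disabletaskmgr": 1, "disableregistrytools": 1},
    POLICY_EXPLORER: {"nocontrolpanel": 1},
    RUN_KEYS[0]: {"Svchost": r"C:\Users\Administrator\Desktop\Svchost.exe"},
}


def host_triage(processes=SAMPLE_PROCESSES, registry=SAMPLE_REGISTRY):
    """All findings for one snapshot; an empty list means the host looks untouched."""
    return find_masquerades(processes) + find_policy_tampering(registry) + find_suspicious_autoruns(registry)


if __name__ == "__main__":
    for line in host_triage():
        print("[!]", line)
```

On a real guest the same three functions would be fed from a process listing that includes parent name and image path, and from an export of the HKCU/HKLM policy and Run keys; the rules are deliberately path- and parent-based because the JPS option names (Norton, McAfee, Yahoo, MSN) say what the server interferes with, not how, and an analyst should not rely on the antivirus verdict alone.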
  • 10. Module 07 - Viruses and Worms

Internet Connection Required: No
Platform Supported: iLabs
  • 11. Module 07 - Viruses and Worms

Virus Analysis Using IDA Pro

Computer worms are malicious programs that replicate, execute, and spread themselves across network connections independently, without human interaction.

Lab Scenario

Viruses, worms, or Trojans can erase your disk, send your credit card numbers and passwords to a stranger, or let others use your computer for illegal purposes like denial of service attacks. Hacker mercenaries view instant messaging clients as their personal banks because of the ease with which they can access your computer via the publicly open and interpretable standards. They unleash a Trojan horse, virus, or worm, as well as gather your personal and confidential information.

Since you are an expert ethical hacker and penetration tester, the IT director instructs you to test the network for any viruses and worms that can damage or steal the organization's information. You need to construct viruses and worms, try to inject them into a dummy network (virtual machine), and check their behavior: whether they are detected by any antivirus programs or bypass the firewall of the organization.

Lab Objectives

The objective of this lab is to make students learn and understand how to make viruses and worms to test the organization's firewall and antivirus programs.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms

Lab Environment

To carry out the lab, you need:
■ IDA Pro located at D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Malware Analysis Tools\IDA Pro
■ A computer running Windows Server 2012 as host machine
■ Windows Server 2008 running on virtual machine as guest machine
■ Run this tool on Windows Server 2008
■ You can also download the latest version of IDA Pro from http://www.hex-rays.com/products/ida/index.shtml
  • 12. Module 07 - Viruses and Worms
■ Administrative privileges to run tools

Lab Duration

Time: 15 Minutes

Overview of Viruses and Worms

Computer worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction. Attackers use worm payloads to install backdoors in infected computers, which turn them into zombies and create botnets; these botnets can be used to carry out further cyber-attacks.

Lab Tasks

TASK 1: IDA Pro

1. Go to the Windows Server 2008 virtual machine.
2. Install IDA Pro, which is located at D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Malware Analysis Tools\IDA Pro.
3. Open IDA Pro (the installer idademo63_windows.exe) and click Run in the Open File - Security Warning dialog box. The dialog reports "The publisher could not be verified" and "This file does not have a valid digital signature that verifies its publisher"; outside the lab, verify an unsigned installer against the vendor's published download before running it.

Note: You have to agree to the license agreement before proceeding further in this tool.

FIGURE 2.1: IDA Pro Open File - Security Warning

4. Click Next to continue the installation.
  • 13. Module 07 - Viruses and Worms

Setup - IDA Demo v6.3: Welcome to the IDA Demo v6.3 Setup Wizard. This will install IDA Demo v6.3 on your computer. It is recommended that you close all other applications before continuing. Click Next to continue, or Cancel to exit Setup.

Note: Read the license agreement carefully before accepting.

FIGURE 2.2: IDA Pro Setup

5. Select the I accept the agreement radio button for the IDA Pro license agreement.
6. Click Next.

Note (IDA help): Reload the input file. This command reloads the same input file into the database. IDA tries to retain as much information as possible in the database. All the names, comments, segmentation information and similar will be retained.

IDA License Agreement (excerpt): SPECIAL DEMO VERSION LICENSE TERMS. This demo version of IDA is intended to demonstrate the capabilities of the full version of IDA whose license terms are described hereafter. The demo version of IDA may not, under any circumstances, be used in a commercial project. The IDA computer programs, hereafter described as "the software", are licensed, not sold, to you by Hex-Rays SA pursuant to the terms and conditions of this Agreement.

FIGURE 2.3: IDA Pro license

7. Keep the destination location default, and click Next.
  • 14. Module 07 - Viruses and Worms

Note (IDA help): Add breakpoint. This command adds a breakpoint at the current address. If an instruction exists at this address, an instruction breakpoint is created. Otherwise, IDA offers to create a hardware breakpoint, and allows the user to edit breakpoint settings.

FIGURE 2.4: IDA Pro destination folder

8. Check the Create a desktop icon check box, and click Next.

Setup - IDA Demo v6.3: Select Additional Tasks. Which additional tasks should be performed? Select the additional tasks you would like Setup to perform while installing IDA Demo v6.3, then click Next. Additional icons: Create a desktop icon.

Note (IDA help): Trace window. In this window you can view information related to all traced events. The tracing events are the information saved during the execution of a program. Different types of trace events are available: instruction tracing events, function tracing events, and write, read/write or execution tracing events.

FIGURE 2.5: Creating the IDA Pro shortcut

9. The Ready to Install window appears; click Install.
  • 15. Module 07 - Viruses and Worms

Note (IDA help): Add execution trace. This command adds an execution trace to the current address.

Setup - Ready to Install: Setup is now ready to begin installing IDA Demo v6.3 on your computer. Click Install to continue with the installation, or click Back if you want to review or change any settings. Destination location: C:\Program Files (x86)\IDA Demo 6.3. Additional tasks: Create a desktop icon.

Note (IDA help): Instruction tracing. This command starts instruction tracing. You can then use all debugger commands as usual: the debugger will save all the modified register values for each instruction. When you click on an instruction trace event in the trace window, IDA displays the corresponding register values preceding the execution of this instruction. In the 'Result' column of the Trace window, you can also see which registers were modified by this instruction.

FIGURE 2.6: IDA Pro install

10. Click Finish.

Setup - Completing the IDA Demo v6.3 Setup Wizard: Setup has finished installing IDA Demo v6.3 on your computer. The application may be launched by selecting the installed icons. Click Finish to exit Setup. (Launch IDA Demo is checked.)

FIGURE 2.7: IDA Pro installation complete

11. The IDA License window appears. Click I Agree.
  • 16. Module 07 - Viruses and Worms

Note (IDA help): The configuration files are searched in the IDA.EXE directory. In the configuration files, you can use C/C++ style comments and include files. If no file is found, IDA uses default values.

IDA License Agreement (excerpt): SPECIAL DEMO VERSION LICENSE TERMS. This demo version of IDA is intended to demonstrate the capabilities of the full version of IDA whose license terms are described hereafter. The demo version of IDA may not, under any circumstances, be used in a commercial project. The IDA computer programs, hereafter described as "the software", are licensed, not sold, to you by Hex-Rays SA pursuant to the terms and conditions of this Agreement. Hex-Rays SA reserves any right not expressly granted to you. You own the media on which the software is delivered but Hex-Rays SA retains ownership of all copies of the software itself. The software is protected by copyright law. The software is licensed on a "per user" basis. Each copy of the software can only be used by a single user at a time. This user may install the software on his office workstation, personal laptop and home computer, provided that no other user uses the software on those computers. This license also allows you to make as many copies of the installation media as you need for backup or installation purposes; reverse-engineer the software; and transfer the software and all rights under this license to another party together with a copy of this license and all material, written or electronic, accompanying the software, provided that the other party reads and accepts the terms and conditions of this license. You lose the right to use the software and all other rights under this license when transferring the software. Restrictions: You may not distribute copies of the software to another party or electronically transfer the software from one computer to another if one computer belongs to another party. You may not modify, adapt, translate, rent, lease, resell, distribute ...

Note (IDC help): Compile an IDC script. The input should not contain functions that are currently executing; otherwise the behavior of the replaced functions is undefined. input: if isfile != 0, this is the name of the file to compile; otherwise it holds the text to compile. Returns 0 on success; otherwise it returns an error message. string CompileEx(string input, long isfile); // Convenience macro: #define Compile(file) CompileEx(file, 1)

FIGURE 2.8: IDA Pro license accepted

12. Click the New button in the Welcome window (IDA: Quick start. New: Disassemble a new file; Go: Work on your own; Previous: Load the old disassembly. Display at startup is checked.)

FIGURE 2.9: IDA Pro Welcome window

13. A file browse window appears; select Z:\CEHv8 Module 07 Viruses and Worms\Viruses\Klez Virus Live!\face.exe and click Open.
  • 17. Module 07 - Viruses and Worms

Note (IDA help): Function tracing. This command starts function tracing. You can then use all debugger commands as usual: the debugger will save all addresses where a call to a function or a return from a function occurred.

Note (IDA help): Add/Edit an enum. Action names: AddEnum, EditEnum. These commands allow you to define and to edit an enum. You need to specify: the name of the enum, its serial number (1, 2, ...), and the representation of enum members.

FIGURE 2.10: IDA Pro file browse window

14. The Load a new file window appears. It loads face.exe as Portable executable for 80386 (PE) [pe.ldw], processor type Intel 80x86 processors: metapc, loading segment 0x00000000, loading offset 0x0, analysis enabled, with the options Create segments, Load resources, Rename DLL entries, Manual load, Fill segment gaps, Make imports segment and Create FLAT group, and DLL directory C:\Windows. Keep the default settings and click OK.

FIGURE 2.11: Load a new file window

15. If any warning window prompts appear, click OK.
  • 18. Module 07 - Viruses and Worms

16. The Please confirm window appears; read the instructions carefully and click Yes. The message reads: "IDA-View has now a new mode: proximity view. This mode allows you to browse the interrelations between functions and data items. When inside a function, press '-' to toggle the proximity viewer and '+' to zoom back into a function. Do you want to switch to proximity view now?"

Note: Select appropriate options as per your requirement.

FIGURE 2.12: Confirmation wizard

Note (IDA help): TMP or TEMP specifies the directory where the temporary files will be created.

17. The final window appears after analysis. The Functions window lists the recovered functions (sub_401000, sub_401198, sub_401284, sub_4013A9, StartAddress, and so on), the IDA View is positioned at WinMain (address 00407312), and the Output window reports "IDA is analysing the input file... You may start to explore the input file right now."

Note (IDA help): Add read/write trace. This command adds a read/write trace to the current address. Each time the given address is accessed in read or write mode, the debugger will add a trace event to the Trace window.

FIGURE 2.13: IDA Pro window after analysis

18. Click View -> Graphs -> Flow Chart from the menu bar.
Note: Create an alignment directive (action name: MakeAlignment). This command allows you to create an alignment directive.

FIGURE 2.14: IDA Pro flow chart menu (View -> Graphs -> Flow Chart, shortcut F12; the status bar reads "Display flow chart of the current function").

19. A Graph window appears with the flow; zoom to view clearly.

Note: Zoom in to have a better view of the details.

FIGURE 2.15: IDA Pro flow chart (WinGraph32 window; the status bar reports 8 nodes, 28 edge segments, 0 crossings).
Note: Zoom in to have a better view of the details.

FIGURE 2.16: IDA Pro zoom flow chart.

The zoomed graph of _WinMain@16 shows the legible part of the entry logic:

    cmp     byte_4100D4, 0
    jz      short loc_407420
    ...
    push    offset byte_4100D4 ; lpFileName
    ...
    test    eax, eax
    pop     ecx
    jz      short loc_407457
    and     [ebp+var_8], 0
    and     [ebp+var_4], 0
    lea     eax, [ebp+ServiceStartTable]
    mov     [ebp+ServiceStartTable.lpServiceName], offset ServiceName
    push    eax             ; lpServiceStartTable
    mov     [ebp+ServiceStartTable.lpServiceProc], offset loc_4073C3
    call    ds:StartServiceCtrlDispatcherA
    ...
    xor     eax, eax
    leave
    retn    10h

The function tests the flag byte byte_4100D4 and, on one path, fills a SERVICE_TABLE_ENTRY with ServiceName and the handler loc_4073C3 and calls StartServiceCtrlDispatcherA: the sample is able to run as a Windows service rather than as an ordinary process, which is worth noting for the lab question on the effect of the virus file. The targets of the intervening call instructions are not legible in the screenshot.

FIGURE 2.17: IDA Pro zoom flow chart (85.71%, 8 nodes, 28 edge segments, 0 crossings).

20. Click View -> Graphs -> Function Calls from the menu bar.
Note: Empty input file. The input file doesn't contain any instructions or data, i.e. there is nothing to disassemble. Some file formats allow the situation when the file is not empty but it doesn't contain anything to disassemble. For example, COFF/OMF/EXE formats could contain a file header which just declares that there are no executable sections in the file.

FIGURE 2.18: IDA Pro Function calls menu (the status bar reads "Display graph of function calls").

21. A window showing the call flow appears; zoom to have a better view.

FIGURE 2.19: IDA Pro call flow of face.exe.
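Both graphs used in steps 18 to 21 are derived mechanically from the disassembly: the Flow Chart splits a function into basic blocks whose leaders are the first instruction, every jump target and the instruction after every jump or return, with each block's last instruction deciding its outgoing edges, and the Function Calls graph is simply the set of call instructions grouped by caller. The following added example (written for this lab, not IDA's own code) does this for a constructed listing whose shape loosely follows the WinMain above, with a flag test, helper calls and a StartServiceCtrlDispatcherA call; the addresses and the sub_/loc_ names in it are invented, and the DOT output can be rendered with Graphviz to compare against IDA's graph.

```python
import re

# Constructed listing of (address, mnemonic, operands). The addresses and the
# sub_/loc_ names are invented for this example; the shape mimics a WinMain
# that tests a flag, calls a helper and registers a service control dispatcher.
SAMPLE_LISTING = [
    (0x407380, "cmp",   "byte_flag, 0"),
    (0x407387, "jz",    "short loc_4073A0"),
    (0x407389, "push",  "offset aFileName"),
    (0x40738E, "call",  "sub_405B00"),
    (0x407393, "test",  "eax, eax"),
    (0x407395, "pop",   "ecx"),
    (0x407396, "jz",    "short loc_4073B8"),
    (0x407398, "call",  "sub_401200"),
    (0x40739D, "jmp",   "short loc_4073B8"),
    (0x4073A0, "lea",   "eax, [ebp+ServiceStartTable]"),
    (0x4073A3, "push",  "eax"),
    (0x4073A4, "call",  "ds:StartServiceCtrlDispatcherA"),
    (0x4073AA, "call",  "sub_4012F0"),
    (0x4073AF, "jmp",   "short loc_4073B8"),
    (0x4073B8, "xor",   "eax, eax"),
    (0x4073BA, "leave", ""),
    (0x4073BB, "retn",  "10h"),
]

UNCONDITIONAL = {"jmp"}
CONDITIONAL = {"jz", "jnz", "je", "jne", "ja", "jae", "jb", "jbe", "jg", "jge",
               "jl", "jle", "js", "jns", "jc", "jnc", "jo", "jno", "loop"}
RETURNS = {"ret", "retn", "retf"}
BRANCHES = UNCONDITIONAL | CONDITIONAL
BLOCK_ENDERS = BRANCHES | RETURNS


def branch_target(operands):
    """Resolve a 'loc_XXXXXX' operand to an address; None for indirect jumps."""
    m = re.search(r"\bloc_([0-9A-Fa-f]+)", operands)
    return int(m.group(1), 16) if m else None


def build_cfg(listing):
    """Return (blocks, edges): blocks as (first_addr, last_addr) and edges as
    (from_block_start, to_block_start). This is what the Flow Chart view draws."""
    addrs = [a for a, _, _ in listing]
    index = {a: i for i, a in enumerate(addrs)}
    leaders = {addrs[0]}
    for i, (_, mn, ops) in enumerate(listing):
        if mn in BRANCHES:
            target = branch_target(ops)
            if target in index:
                leaders.add(target)             # a jump target starts a block
        if mn in BLOCK_ENDERS and i + 1 < len(listing):
            leaders.add(addrs[i + 1])           # so does the instruction after a branch
    starts = sorted(leaders)
    blocks = []
    for n, start in enumerate(starts):
        last = index[starts[n + 1]] - 1 if n + 1 < len(starts) else len(listing) - 1
        blocks.append((start, addrs[last]))
    edges = []
    for n, (start, last) in enumerate(blocks):
        mn, ops = listing[index[last]][1:]
        if mn in RETURNS:
            continue                            # function exit: no successors
        target = branch_target(ops) if mn in BRANCHES else None
        if target is not None:
            edges.append((start, target))
        if mn not in UNCONDITIONAL and n + 1 < len(blocks):
            edges.append((start, blocks[n + 1][0]))   # fall-through successor
    return blocks, edges


def call_graph(listing, caller="WinMain"):
    """(caller, callee, call_site) triples: the Function Calls view for one function."""
    calls = []
    for addr, mn, ops in listing:
        if mn == "call":
            callee = re.sub(r"^(ds:|offset\s+)", "", ops.strip())
            calls.append((caller, callee, addr))
    return calls


def to_dot(listing, name="WinMain"):
    """Graphviz DOT for the CFG, one box per basic block (render with: dot -Tpng)."""
    blocks, edges = build_cfg(listing)
    index = {a: i for i, (a, _, _) in enumerate(listing)}
    out = ["digraph %s {" % name, "  node [shape=box fontname=monospace];"]
    for start, last in blocks:
        rows = listing[index[start]:index[last] + 1]
        label = "".join("%08X  %-5s %s\\l" % (a, mn, ops) for a, mn, ops in rows)
        out.append('  b%X [label="%s"];' % (start, label))
    out.extend("  b%X -> b%X;" % (s, d) for s, d in edges)
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    blocks, edges = build_cfg(SAMPLE_LISTING)
    print("%d nodes, %d edges" % (len(blocks), len(edges)))
    for caller, callee, site in call_graph(SAMPLE_LISTING):
        print("  %s -> %s (call at %08X)" % (caller, callee, site))
    print(to_dot(SAMPLE_LISTING))
```

The same two passes are what you read off IDA's graphs when answering the lab questions: a block that ends in a call to a service or persistence API, and which conditions must hold to reach it, tells you how the sample behaves when run; the call list tells you which imports (here the StartServiceCtrlDispatcherA call) to examine first.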
FIGURE 2.20: IDA Pro call flow of face.exe with zoom.

22. Click Windows -> Hex View-A (shortcut Alt+3). The Windows menu also offers Load/Save/Delete/Reset desktop, Reset hidden messages, Windows list, Next window (F6), Previous window (Shift+F6), Close window (Alt+F3), Focus command line, Functions window (Alt+1), IDA View-A (Alt+2), Structures (Alt+4), Enums (Alt+5), Imports (Alt+6) and Exports (Alt+7).

FIGURE 2.21: IDA Pro Hex View-A menu.

23. The following is a window showing Hex View-A.
FIGURE 2.22: IDA Pro Hex View-A result (raw bytes of the code starting at 004073B2, around WinMain at 004073E2, with the ASCII column on the right; the Functions and Output windows remain visible).

24. Click Windows -> Structures.
FIGURE 2.23: IDA Pro Structures menu.

25. The following is a window showing Structures (to expand a structure, press Ctrl and +).
Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms.

The Structures window lists the structures IDA recovered, for example the C++ exception-handling record used by the CRT start-up code:

    CPPEH_RECORD    struc ; (sizeof=0x18)   ; XREF: start ...
    old_esp         dd ?
    exc_ptr         dd ?
    registration    EXCEPTION_REGISTRATION ?
    ...
    CPPEH_RECORD    ends

FIGURE 2.24: IDA Pro Structures result.

26. Click Windows -> Enums.

FIGURE 2.25: IDA Pro Enums menu.

27. A window appears, showing the Enum result.
The Enums window's built-in help lists the keys: Ins/Del/Ctrl-E create/delete/edit enumeration types; N/Ctrl-N create/edit a symbolic constant; U delete a symbolic constant; ':' set a comment for the current item; for bit fields the line prefixes display the bitmask.

FIGURE 2.26: IDA Pro Enums result.

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: IDA Pro
Information Collected/Objectives Achieved:
File name: face.exe
Output:
■ View function calls
■ Hex View-A
■ View structures
■ View enums
Questions

1. Analyze the chart generated with the flow chart and function calls; try to find the possible defect that can be caused by the virus file.
2. Try to analyze more virus files from the location D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Viruses\Klez Virus Live!.

Internet Connection Required: □ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
Lab 3: Virus Analysis Using VirusTotal

Computer worms are malicious programs that replicate, execute, and spread themselves across network connections independently, without human interaction.

ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review

Lab Scenario

In today's online environment it is important to know what risks lie ahead at each click. Every day millions of people go online to find information, to do business, and to have a good time. There have been many warnings issued about theft of data: identity theft, phishing scams and pharming; most people have at least heard of denial-of-service attacks and "zombie" computers, and now one more type of online attack has emerged: holding data for ransom.

Since you are an expert ethical hacker and penetration tester, the IT director instructs you to test the network for any viruses and worms that can damage or steal the organization's information. In this lab we explain how to analyze a virus using online virus analysis services.

Lab Objectives

The objective of this lab is to make students learn and understand how to analyze virus and worm samples with an online multi-engine scanner, as part of testing the organization's firewall and antivirus programs.

Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms.

■ Analyze virus files over the Internet

Lab Environment

To carry out the lab, you need:
■ A computer running Windows Server 2012 as host machine
■ A web browser with Internet connection

Lab Duration

Time: 15 Minutes
Overview of Viruses and Worms

Computer worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction. Attackers use worm payloads to install backdoors in infected computers, which turn them into zombies and create botnets; these botnets can be used to carry out further cyber-attacks.

Lab Tasks

TASK 1: VirusTotal scanning service

1. Open a web browser in the Windows Server 2012 host machine.
2. Access the website http://www.virustotal.com. The home page describes the service: "VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware." Below the Choose file button it states the maximum file size (32 MB) and that by clicking Scan it! you consent to the Terms of Service and allow VirusTotal to share the file with the security community; you may instead scan a URL or search through the VirusTotal dataset.

FIGURE 3.1: VirusTotal home page.

3. Click the Choose file button.
4. Select the virus file located in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Viruses\tini.exe.
5. Click Open.

Note: The VirusTotal website is used to analyze viruses online. Because an uploaded file is shared with the security community, search the dataset by hash first and upload a sensitive or targeted sample only if you are permitted to share it.
FIGURE 3.2: Select a file for virus analysis (the File Upload dialog lists the sample folders under ...\Viruses, such as Win32.Botvoice.A, Win32.Cd_infected@Ch, Win32.Loretto.E@ch, Win32.Minip2p@Ch, worm_cris, netbus17.rar and tini.exe).

Note: You can upload any infected file to analyze.

6. Click Scan it!.

FIGURE 3.3: Click the Scan it! button to send the file for analysis.

7. The selected file will be sent to the server for analysis.
8. If VirusTotal reports that the file was already analysed, click Reanalyse so that the file is scanned again with current signatures instead of relying on the cached result.
The page shows: "File already analysed. This file was already analysed by VirusTotal on 2012-09-21 17:32:24. Detection ratio 40/43. You can take a look at the last analysis or analyse it again now."

FIGURE 3.4: Sending the file.

9. The file is placed in the analysis queue and scanned, as shown in the following figure ("Your file is at position 4397 in the analysis queue"; the page already lists the SHA256 9654bb748199882b0fb29b1fa597c0cfe3b9d610adf4183a0b440f3faf5ee527, the file name tini.exe, and community comments tagging the file #trojan #bkdr #tini).

FIGURE 3.5: Scanned file.

10. A detailed report will be displayed after analysis. The report header of this run shows:

    SHA256:          9654bb748199882b0fb29b1fa597c0cfe3b9d610adf4183a0b440f3faf5ee527
    MD5:             b7513ee75c68bdec96c814644717e413
    File size:       3.0 KB (3072 bytes)
    File name:       tini.exe
    File type:       Win32 EXE
    Detection ratio: 39/42
    Analysis date:   2012-09-22 08:56:26 UTC

(The SHA1 shown on the page is not legible in the screenshot.) The detection ratio differs from the earlier cached result (40/43) because a different number of engines took part in the reanalysis, so compare the engine count as well as the ratio when reading reports.

FIGURE 3.6: File queued for analysis.
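Two habits make this step more useful in practice: hash the sample locally and look the hash up before uploading (an upload is shared with the community, a hash search is not), and read the per-engine signature dates rather than only the headline ratio, since a cached report may rest on stale signatures, which is what Reanalyse addresses. The following is an added example written for this lab, not VirusTotal's own code or API client: it computes the three hashes a VirusTotal report is keyed on, builds lookup URLs (the URL forms GUI_URL and API_URL are assumptions about the current site), and summarizes a constructed report with invented engine names in the same engine / result / update shape as the table in the figure. It does not contact the service.

```python
import hashlib
from datetime import datetime

# Assumed URL forms for a hash lookup (a search does not upload the file).
GUI_URL = "https://www.virustotal.com/gui/file/{sha256}"
API_URL = "https://www.virustotal.com/api/v3/files/{sha256}"


def file_hashes(data):
    """MD5, SHA1 and SHA256 hex digests: the identifiers a report is keyed on."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def lookup_urls(data):
    """URLs to query an existing report by SHA256 without uploading the sample."""
    h = file_hashes(data)
    return {"gui": GUI_URL.format(**h), "api": API_URL.format(**h)}


# Constructed report with invented engine names, in the engine / result /
# signature-update shape of the VirusTotal table. Not a real response.
SAMPLE_REPORT = {
    "file_name": "sample.exe",
    "analysis_date": "2012-09-22",
    "results": {
        "AlphaAV":    {"result": "Backdoor.Tiny.B",         "update": "20120922"},
        "BetaScan":   {"result": "BDS/Tini.B",              "update": "20120922"},
        "GammaGuard": {"result": "Trojan.Tiny-1",           "update": "20120911"},
        "DeltaAV":    {"result": None,                      "update": "20120918"},
        "EpsilonAV":  {"result": "Backdoor/Win32.Tiny.gen", "update": "20120921"},
    },
}


def detection_ratio(report):
    """(detected, total) as the report header prints it, e.g. 4/5."""
    results = report["results"]
    return sum(1 for r in results.values() if r.get("result")), len(results)


def stale_engines(report, max_age_days=7):
    """Engines whose signatures were more than max_age_days older than the
    analysis date; a miss from one of these says little about the sample."""
    analysed = datetime.strptime(report["analysis_date"], "%Y-%m-%d")
    stale = []
    for engine, r in sorted(report["results"].items()):
        updated = datetime.strptime(r["update"], "%Y%m%d")
        if (analysed - updated).days > max_age_days:
            stale.append(engine)
    return stale


def summarize(report, max_age_days=7):
    """The lines an analyst would note down from a report."""
    detected, total = detection_ratio(report)
    stale = stale_engines(report, max_age_days)
    missed = sorted(e for e, r in report["results"].items() if not r.get("result"))
    lines = ["%s: %d/%d engines detected" % (report["file_name"], detected, total)]
    for engine in missed:
        tag = " (stale signatures)" if engine in stale else ""
        lines.append("  no detection: %s%s" % (engine, tag))
    if stale:
        lines.append("  signatures older than %d days: %s" % (max_age_days, ", ".join(stale)))
    return lines


if __name__ == "__main__":
    sample = b"constructed sample bytes, not a real executable"   # constructed input
    for name, value in file_hashes(sample).items():
        print("%-7s %s" % (name, value))
    print(lookup_urls(sample)["gui"])
    print("\n".join(summarize(SAMPLE_REPORT)))
```

Hash the real sample with file_hashes(open(path, "rb").read()) and open the GUI URL first; only if no report exists, and sharing the file is acceptable, upload it. When a report is older than the signatures you care about, Reanalyse and compare the per-engine dates again rather than the ratio alone.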
The per-engine results of the report (engine, result, signature update date) begin:

    Agnitum        Backdoor.Tiny!...           20120921
    AntiVir        BDS/Tini.B                  20120922
    Antiy-AVL      Backdoor/Win32.Tiny.gen     20120911
    Avast          Win32:Tiny-... [Trj]        20120921
    AVG            BackDoor.Tiny.A             20120922
    BitDefender    Backdoor.Tiny.B             20120922
    CAT-QuickHeal  Backdoor.Tiny.c.n3          20120922
    ClamAV         Trojan.Tiny-1               20120922
    Commtouch      W32/Malware!da0d            20120921
    Comodo         Backdoor.Win32.Tiny.B       20120922
    ByteHero       (no detection)              20120918
    DrWeb          BackDoor.Tiny.88            20120922
    Emsisoft       Backdoor.Win32.Tiny.c!IK    20120919
    eSafe          Win32.BackDoor.IQ.B         20120920

The engines agree on the family (a Tiny/Tini backdoor); the one non-detecting engine shown was running signatures several days older than the analysis date, which is why the signature date column matters as much as the ratio.

FIGURE 3.7: Analyzing the file.

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: VirusTotal
Information Collected/Objectives Achieved: Scan report shows:
■ SHA256
■ SHA1
■ MD5
■ File size
■ File name
■ File type
■ Detection ratio
■ Analysis date

Questions

1. Analyze more virus files from D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Viruses with the demonstrated process.

Internet Connection Required: ☑ Yes □ No
Platform Supported: ☑ Classroom □ iLabs
• 33.

Scan for Viruses Using Kaspersky Antivirus 2013

Computer worms are malicious programs that replicate, execute, and spread themselves across network connections independently, without human interaction.

Lab Scenario

Today, many people rely on computers to do work and to create or store useful information. Therefore, it is important for the information on the computer to be stored and kept properly. It is also extremely important for computer users to protect their computers from data loss, misuse, and abuse. For example, it is crucial for businesses to keep the information they hold secure so that hackers cannot access it. Home users also need to make sure that their credit card numbers are secure when they take part in online transactions. A computer security risk is any action that could cause loss of information, software or data, processing incompatibilities, or damage to computer hardware.

Once you suspect that there is spyware on your computer system, you must act at once. The best thing to do is to use spyware remover software: a program that scans the computer's files and settings and eliminates the malicious programs that you do not want on your operating system. In this lab, the Kaspersky Antivirus 2013 program detects the malicious programs and vulnerabilities in the system.

Lab Objectives

The objective of this lab is to make students learn and understand how to make viruses and worms to test the organization's firewall and antivirus programs.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms

Lab Environment

To carry out the lab, you need:
■ Kaspersky Antivirus 2013, located at D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Anti-Virus Tools\Kaspersky Anti-Virus
• 34.

■ You can also download the latest version of Kaspersky Antivirus 2013 from http://www.kaspersky.com/anti-virus
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ Run this tool in the Windows 7 virtual machine
■ Active Internet connection

Lab Duration

Time: 15 Minutes

Overview of Viruses and Worms

Computer worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction. Attackers use worm payloads to install backdoors in infected computers, which turns them into zombies and creates botnets; these botnets can be used to carry out further cyber-attacks.

Lab Tasks

TASK 1: Scan the System to Detect Viruses

Note: Before running this lab, take a snapshot of your virtual machine.

1. Start the Windows 7 virtual machine.
2. Before scanning the disk, infect the disk with viruses.
3. Open the CEH-Tools folder and browse to Z:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Viruses.
4. Double-click the tini.exe file.

FIGURE 4.1: Tini virus file

Note: Advanced anti-phishing technologies proactively detect fraudulent URLs and use real-time information from the cloud, to help ensure you are not tricked into disclosing your valuable data to phishing websites.

5. Open the CEH-Tools folder and browse to Z:\CEHv8 Module 07 Viruses and Worms\Viruses\netbus17.
6. Double-click the Patch.exe file.

• 35.

7. Open the CEH-Tools folder and browse to Z:\CEHv8 Module 07 Viruses and Worms\Viruses\Klez Virus Live!.
8. Double-click the face.exe file.

Note: Kaspersky protects against all viruses by combining cloud-based functionality and powerful security technologies that run on your PC.

FIGURE 4.3: Face virus file (the figure shows the sample folder listing, including AVKillah, Blaster, Chernobel, CodeRed.a, Doomjuice.a, Doomjuice.b, DrDeath, killharddisk and Parparosa)

9. Note that running these samples produces no visible change: they are backdoors (VirusTotal and Kaspersky classify tini.exe and patch.exe as Backdoor.Tiny and Backdoor.Win32.Netbus), so the infection only becomes apparent when the disk is scanned.
10. Go to D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Anti-Virus Tools\Kaspersky Anti-Virus.

Note: Kaspersky Antivirus 2013 works behind the scenes on your PC, defending it against viruses, spyware, Trojans, rootkits and other threats.

11. Install the Kaspersky Antivirus 2013 software in Windows 7.
12. During installation it asks for activation; click Activate Trial Version and then click Next.
13. The main window of Kaspersky Antivirus 2013 is shown in the figure below.
• 36.

FIGURE 4.4: Kaspersky main window (it reports "Computer is protected", warns that the databases have not been updated for a long time, and shows a 30-day trial license)

14. Select the Scan icon.

Note: Kaspersky Antivirus 2013 is fully compatible with Microsoft's latest operating system.

FIGURE 4.5: Kaspersky Scan window

15. Select Full Scan to scan the computer (the Windows 7 virtual machine).

• 37.

FIGURE 4.6: Kaspersky, starting a full scan (the Scan window offers Full Scan, Critical Areas Scan, which is a quick scan of objects loaded at system startup, Vulnerability Scan, which checks the system and applications for vulnerabilities that may allow malicious attacks, and a drop target for a custom scan of a single object)

16. The Full Scan window is displayed. Because the databases are out of date, Kaspersky warns that new threats can be missed and strongly recommends "Scan after the update". For this lab, click Scan now; for a real investigation, let the update finish first, since a scan with stale signatures proves little.

Note: Kaspersky Anti-Virus 2013 is optimised so that it does not have a significant impact on network activity, the installation of programs, the launch of web browsers or the launch of programs.

FIGURE 4.7: Scanning process

17. Kaspersky Antivirus 2013 scans the computer (this takes some time, so be patient).
• 38.

FIGURE 4.8: Scanning process (at 50 % the scan had found 6 threats and neutralized 0; the Task Manager pane shows the file currently being scanned and the estimated time remaining)

Note: Even if your PC and running applications have not been updated with the latest fixes, Kaspersky Anti-Virus 2013 can prevent exploitation of vulnerabilities by controlling the launch of executable files from applications with vulnerabilities, analysing the behaviour of executable files for any similarities with malicious programs, and restricting the actions allowed to applications with vulnerabilities.

18. The Virus Scan window appears, reporting "Active malware detected" (in the figure: Trojan program Backdoor.Win32.Netbus.170, location c:\Windows\patch.exe), and asks whether to perform a special disinfection procedure.
19. Click Yes, disinfect with reboot (recommended). This is the most reliable disinfection method, after which the computer is rebooted, so close all running applications and save your data first. The alternative, Do not run, processes the object according to the selected action without rebooting. The dialog also offers Apply to all objects, which reuses the same choice for every detection.

Note: The main interface window is optimised to help improve performance and ease of use for many popular user scenarios, including launching scans and fixing problems.

FIGURE 4.9: Detecting the malware
• 39.

20. The Advanced Disinfection scan starts; it scans the complete system (this may take some time).

FIGURE 4.10: Advanced Disinfection scanning (in the figure the Full Scan has completed with 83,366 files scanned, 5 threats found and 4 neutralized, while Advanced Disinfection is at 49 %)

21. The cleaned viruses appear in the detailed report, as shown in the following figure.

FIGURE 4.11: Cleaned infected files. The Full Scan report (38 events, 83,366 objects, 00:14:33) lists, per object: NetBus.exe detected and deleted; patch.exe detected, backed up and deleted or marked "Will be deleted on reboot"; KeyHook.dll detected, backed up and marked "Will be deleted on reboot"; tini.exe detected but "Not processed". Together with "Threats: 5, Neutralized: 4" in the scan window, that "Not processed" entry means one detection was not remediated by the scan and needs follow-up.

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
• 40.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Kaspersky Antivirus 2013
Information Collected/Objectives Achieved: Result: list of threats detected in the system

Questions
1. Using the final report, analyze the processes affected by the virus files.

Internet Connection Required: No
Platform Supported: Classroom, iLabs
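The question above asks you to work from the final report. The following added example, not code from the lab manual or from Kaspersky, does that mechanically in Python: it reads a report laid out like the lab's detailed view (one event per object, with Object, Event and Time columns), decides per object whether the scanner actually removed it, and reproduces the "Threats / Neutralized" counts the scan window shows. The tab-separated layout and the detection names in SAMPLE_REPORT are constructed for this example (the page only shows truncated names except Backdoor.Win32.Netbus.170); the event verbs are the ones visible in the lab's figure.

```python
"""Triage of an antivirus scan report (added example, not from the lab manual).

Answers the question the lab asks of the final report: which detected objects
were actually remediated, which were only detected and left in place, and
whether a reboot is still pending before the cleaned state is real.
"""
from collections import OrderedDict

# Constructed sample (assumption) modelled on the lab's report columns.
SAMPLE_REPORT = """\
NetBus.exe\tDetected: Backdoor.Win32.Netbus.170\t9/24/2012 5:33:34 PM
NetBus.exe\tDeleted: Backdoor.Win32.Netbus.170\t9/24/2012 5:33:34 PM
patch.exe\tDetected: Backdoor.Win32.Netbus.170\t9/24/2012 5:33:40 PM
patch.exe\tBacked up: Backdoor.Win32.Netbus.170\t9/24/2012 5:33:40 PM
patch.exe\tWill be deleted on reboot...\t9/24/2012 5:33:40 PM
tini.exe\tDetected: Backdoor.Win32.Tiny.gen\t9/24/2012 5:33:54 PM
tini.exe\tNot processed: Backdoor.Win32.Tiny.gen\t9/24/2012 5:33:55 PM
KeyHook.dll\tDetected: Backdoor.Win32.Netbus.170\t9/24/2012 5:33:55 PM
KeyHook.dll\tBacked up: Backdoor.Win32.Netbus.170\t9/24/2012 5:33:55 PM
KeyHook.dll\tWill be deleted on reboot...\t9/24/2012 5:33:55 PM
"""

# Event verbs that mean the object is gone (now or at the next reboot) versus
# verbs that mean the scanner saw it but left it where it was.
REMEDIATED = {"Deleted", "Will be deleted on reboot", "Disinfected", "Quarantined"}
LEFT_IN_PLACE = {"Not processed", "Skipped"}


def parse_events(text):
    """Split each report line into object, action verb, detection name and time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        obj, event, when = line.split("\t")
        action, _, detail = event.partition(":")
        events.append({
            "object": obj,
            "action": action.strip().rstrip("."),  # "Will be deleted on reboot..." -> no dots
            "detection": detail.strip() or None,
            "time": when,
        })
    return events


def triage(events):
    """Final disposition per object: the last remediation / left-in-place verb wins."""
    objects = OrderedDict()
    for ev in events:
        rec = objects.setdefault(ev["object"], {"detection": None, "status": "detected only"})
        if ev["action"] == "Detected" and ev["detection"]:
            rec["detection"] = ev["detection"]
        elif ev["action"] in REMEDIATED:
            rec["status"] = "remediated"
        elif ev["action"] in LEFT_IN_PLACE:
            rec["status"] = "left in place"
    return objects


def summarize(objects):
    """Counts matching the scan window, plus the objects that still need follow-up."""
    remediated = [o for o, r in objects.items() if r["status"] == "remediated"]
    pending = [o for o, r in objects.items() if r["status"] != "remediated"]
    return {"threats": len(objects), "neutralized": len(remediated), "follow_up": pending}


def needs_reboot(events):
    """True when a deletion is deferred to the next reboot: until then the file
    is still on disk and a snapshot taken now is not a clean snapshot."""
    return any(ev["action"] == "Will be deleted on reboot" for ev in events)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_REPORT)
    print(summarize(triage(evs)), "reboot pending:", needs_reboot(evs))
```

On the constructed sample this yields 4 threats, 3 neutralized and `tini.exe` left for manual removal, which is the shape of the discrepancy the lab's own figure shows (5 threats, 4 neutralized). Export the real report as text with the same three columns, adjust the separator, and the same functions apply.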
• 41.

Virus Analysis Using OllyDbg

OllyDbg is a debugger that emphasizes binary code analysis, which is useful when source code is not available. It traces registers, recognizes procedures, API calls, switches, tables, constants and strings, and locates routines from object files and libraries.

Lab Scenario

There are literally thousands of malicious logic programs, and new ones come out all the time, so it is important to keep up to date with the new ones; many websites keep track of them. There is no known method of providing 100% protection for any computer or computer network against viruses, worms, and Trojan horses, but people can take several precautions to significantly reduce their chances of being infected by one of these malicious programs.

Since you are an expert ethical hacker and penetration tester, your IT director instructs you to test the network to determine whether any viruses and worms will damage or steal the organization's information. In this lab OllyDbg is used to analyze a virus: its registers, procedures, API calls, tables, libraries, constants, and strings.

Lab Objectives

The objective of this lab is to make students learn and understand the analysis of viruses.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms

Lab Environment

To carry out the lab, you need:
■ The OllyDbg tool, located at D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Debugging Tool\OllyDbg
■ A computer running Windows Server 2012 as host machine
■ You can also download the latest version of OllyDbg from http://www.ollydbg.de/
■ Run this tool on Windows Server 2012
■ Administrative privileges to run tools
• 42.

Lab Duration

Time: 10 Minutes

Overview of OllyDbg

The debugging engine is now more stable, especially if one steps into the exception handlers. There is a new debugging option, "Set permanent breakpoints on system calls." When active, it requests OllyDbg to set breakpoints on KERNEL32.UnhandledExceptionFilter(), NTDLL.KiUserExceptionDispatcher(), NTDLL.ZwContinue(), and NTDLL.NtQueryInformationProcess().

Lab Tasks

TASK 1: Debug a Virus

1. Launch the OllyDbg tool. Installation is not required for OllyDbg: double-click the ollydbg.exe file.
2. The OllyDbg window appears (the lab uses OllyDbg v2.00, an intermediate version still under development).

FIGURE 5.1: OllyDbg main window

3. Go to File on the menu bar and click Open...
4. Browse to D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Viruses\Virus Total\tini.exe.
5. Click Open.
• 43.

Note: Data formats. Dump windows display data in all common formats: hexadecimal, ASCII, UNICODE, 16- and 32-bit signed/unsigned/hexadecimal integers, 32/64/80-bit floats, addresses, and disassembly (MASM, IDEAL, HLA or AT&T).

FIGURE 5.2: Selecting the tini.exe virus (the Open dialog, filtered to executable files, shows tini.exe dated 6/23/2005)

6. The CPU window (CPU - main thread, module tini) is shown in the following figure. The disassembly pane at the entry point is legible in the screenshot; annotated, it reads:

    00401000  PUSH OFFSET tini.00403014        ; lpWSAData
    00401005  PUSH 101                         ; wVersionRequested = 1.1
    0040100A  CALL <JMP.&WSOCK32.#115>         ; WSAStartup
    0040100F  PUSH 6                           ; IPPROTO_TCP
    00401011  PUSH 1                           ; SOCK_STREAM
    00401013  PUSH 2                           ; AF_INET
    00401015  CALL <JMP.&WSOCK32.#23>          ; socket
    0040101A  MOV DWORD PTR DS:[403102],EAX    ; save the socket handle
    0040101F  MOV WORD PTR DS:[403106],2       ; sockaddr_in.sin_family = AF_INET
    00401028  MOV DWORD PTR DS:[...],0         ; zero DWORD written into the same structure (sin_addr); operand address illegible in the figure
    00401032  MOV WORD PTR DS:[403108],611E    ; sin_port, stored as bytes 1E 61 = network-order 0x1E61 = 7777
    0040103B  PUSH 10                          ; sizeof(sockaddr_in) = 16
    0040103D  PUSH OFFSET tini.00403106        ; &sockaddr_in
    00401042  PUSH DWORD PTR DS:[403102]       ; the socket
    00401048  CALL <JMP.&WSOCK32.#2>           ; bind

The Winsock calls are imported by ordinal through jump stubs; #115, #23 and #2 are WSAStartup, socket and bind in wsock32.dll. So before it does anything else, tini.exe creates a TCP socket and binds it to port 7777 on all interfaces, which is exactly the backdoor behaviour the antivirus labels (Backdoor.Tiny) describe.

Note: OllyDbg can debug multithreaded applications. You can switch from one thread to another, suspend, resume and kill threads or change their priorities.

FIGURE 5.3: CPU window of tini.exe (EIP 00401000 at tini.<ModuleEntryPoint>; the registers, stack and hex dump of the .data section are shown alongside)

7. Click View from the menu bar, and then click Log (Alt+L).
• 44.

Note: Full UNICODE support. All operations available for ASCII strings are also available for UNICODE, and vice versa. OllyDbg is able to recognize UTF strings.

FIGURE 5.4: Selecting the Log window from the View menu (the View menu also lists Executable modules, Memory map, Threads, CPU, Watches, Search results, Run trace, INT3 breakpoints, Memory breakpoints, Hardware breakpoints and File...)

8. The log data of tini.exe is shown in the following figure. The log records the file loaded (D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Viruses\Virus Total\tini.exe), the new process and main thread created, the entry point at 00401000, and each module loaded, including WSOCK32.dll, bcryptPrimitives.dll, CRYPTBASE.dll, SspiCli.dll, KERNEL32.DLL, RPCRT4.dll and NSI.dll, several flagged "Different PE headers in file and in memory (System update is pending?)".

Note: Breakpoints. OllyDbg supports all common kinds of breakpoints: INT3, memory and hardware. You may specify the number of passes and set conditions for pause.

FIGURE 5.5: Output of log data of tini.exe

9. Click View from the menu bar, and click Executable modules (Alt+E).
10. The output of Executable modules is shown in the following figure.
• 45.

Note: Watches. A watch is an expression evaluated each time the program pauses. You can use registers, constants, address expressions, Boolean and algebraical operations of any complexity.

FIGURE 5.6: Output of executable modules of tini.exe (the window lists tini.exe at base 00400000 and the loaded DLLs WSOCK32, bcryptPrimitives, CRYPTBASE, SspiCli, KERNEL32, RPCRT4, NSI, sechost, WS2_32, msvcrt, KERNELBASE and ntdll, each with base address, size, entry point, file version and path)

11. Click View from the menu bar, and then click Memory map (Alt+M).
12. The output of Memory map is shown in the following figure.

Note: OllyDbg supports four different decoding modes: MASM, Ideal, HLA and AT&T.

FIGURE 5.7: Output of memory map of tini.exe (per region: address, size, owner, section, contents, type, access and initial access; for tini the PE header at 00400000, .text at 00401000, .rdata at 00402000 and .data at 00403000, plus the stack of the main thread and the mapped sections of each DLL)

13. Click View from the menu bar, and then click Threads (Alt+T).
14. The output of Threads is shown in the following figure.
• 46.

FIGURE 5.8: Output of threads (a single thread, Main, with entry tini.<ModuleEntryPoint> and last error ERROR_SUCCESS)

Lab Analysis

Document all the files, created viruses, and worms in a separate location.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: OllyDbg
Information Collected/Objectives Achieved: Result: CPU main thread, Log data, Executable modules, Memory map, Threads

• 47.

Questions
1. Using the final report, analyze the processes affected by the virus files.

Internet Connection Required: No
Platform Supported: Classroom, iLabs
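The lab stops at opening the OllyDbg windows; the analysis step a practitioner would actually perform is to read the network behaviour out of the disassembly in the CPU window. The following is an added example, not code from the lab manual or from OllyDbg, that does this in Python for the tini.exe listing: it parses the instruction text transcribed from the lab's figure (one MOV whose operand is illegible in the screenshot is dropped), pairs the pushed arguments with each Winsock call, and decodes the sockaddr_in the sample fills in, including the byte-order flip on the port. The wsock32 ordinal-to-name table is an assumption based on the standard wsock32.dll exports; the listing itself is the page's.

```python
"""Static triage of the tini.exe entry-point listing (added example, not from
the lab manual). Recovers socket family/type/protocol and the bound port from
the OllyDbg disassembly text; the ordinal table is an assumption."""
import re
import struct

# Transcribed from the lab's CPU-window figure; the MOV at 00401028 is omitted
# because its operand address is not legible there.
LISTING = """\
00401000  PUSH OFFSET tini.00403014
00401005  PUSH 101
0040100A  CALL <JMP.&WSOCK32.#115>
0040100F  PUSH 6
00401011  PUSH 1
00401013  PUSH 2
00401015  CALL <JMP.&WSOCK32.#23>
0040101A  MOV DWORD PTR DS:[403102],EAX
0040101F  MOV WORD PTR DS:[403106],2
00401032  MOV WORD PTR DS:[403108],611E
0040103B  PUSH 10
0040103D  PUSH OFFSET tini.00403106
00401042  PUSH DWORD PTR DS:[403102]
00401048  CALL <JMP.&WSOCK32.#2>
"""

WSOCK32_ORDINALS = {2: "bind", 23: "socket", 115: "WSAStartup"}  # assumption: standard wsock32.dll ordinals
AF = {2: "AF_INET"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}
PROTO = {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}

IMM_PUSH = re.compile(r"PUSH (?:OFFSET tini\.)?([0-9A-F]+)$")   # OllyDbg prints immediates in hex
MEM_PUSH = re.compile(r"PUSH DWORD PTR DS:\[([0-9A-F]+)\]$")
API_CALL = re.compile(r"CALL <JMP\.&WSOCK32\.#(\d+)>$")
MEM_WRITE = re.compile(r"MOV (WORD|DWORD) PTR DS:\[([0-9A-F]+)\],([0-9A-F]+)$")


def parse(listing):
    """(address, instruction text) pairs from the two-column listing."""
    out = []
    for line in listing.splitlines():
        addr, _, text = line.strip().partition("  ")
        out.append((int(addr, 16), text.strip()))
    return out


def resolve_calls(insns):
    """Attach pushed arguments to each Winsock call. Winsock is stdcall, so the
    last value pushed is the first parameter; memory operands are kept as
    ('mem', address)."""
    calls, pushed = [], []
    for addr, text in insns:
        m = IMM_PUSH.match(text)
        if m:
            pushed.append(int(m.group(1), 16))
            continue
        m = MEM_PUSH.match(text)
        if m:
            pushed.append(("mem", int(m.group(1), 16)))
            continue
        m = API_CALL.match(text)
        if m:
            ordinal = int(m.group(1))
            calls.append((addr, WSOCK32_ORDINALS.get(ordinal, f"#{ordinal}"), list(reversed(pushed))))
            pushed = []
    return calls


def collect_writes(insns):
    """Immediate stores into the data section: address -> (width, value)."""
    mem = {}
    for _, text in insns:
        m = MEM_WRITE.match(text)
        if m:
            mem[int(m.group(2), 16)] = (2 if m.group(1) == "WORD" else 4, int(m.group(3), 16))
    return mem


def decode_sockaddr_in(mem, base):
    """sockaddr_in: sin_family (2 bytes), sin_port (2 bytes, network order), sin_addr (4).
    OllyDbg shows the immediate as the CPU encodes it (little-endian), so 611E is
    stored as bytes 1E 61; read in network order that is 0x1E61."""
    family = mem[base][1]
    port_le = mem[base + 2][1]
    port = struct.unpack(">H", struct.pack("<H", port_le))[0]
    return {"family": AF.get(family, family), "port": port}


def analyze(listing=LISTING):
    """Human-readable call sequence plus the decoded bind address."""
    insns = parse(listing)
    mem = collect_writes(insns)
    result = {"calls": [], "bind": None}
    for _addr, name, args in resolve_calls(insns):
        if name == "socket":
            af, st, pr = args
            result["calls"].append(f"socket({AF.get(af, af)}, {SOCK_TYPE.get(st, st)}, {PROTO.get(pr, pr)})")
        elif name == "bind":
            _sock, addr_ptr, namelen = args
            result["bind"] = decode_sockaddr_in(mem, addr_ptr)
            result["calls"].append(f"bind(s, sockaddr@{addr_ptr:08X}, {namelen})")
        else:
            rendered = ", ".join(f"{a:#x}" if isinstance(a, int) else f"[{a[1]:08X}]" for a in args)
            result["calls"].append(f"{name}({rendered})")
    return result


if __name__ == "__main__":
    r = analyze()
    print("\n".join(r["calls"]))
    print("bound to", r["bind"])  # {'family': 'AF_INET', 'port': 7777}
```

The byte-order step is the one people get wrong when reading ports out of a disassembly: the immediate OllyDbg prints is what the CPU stores little-endian, and sin_port is interpreted big-endian, so the value to report is the byte-swapped one. The same pattern (push immediates, ordinal call, decode the struct) carries over to any small Winsock-based sample.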
• 48.

Creating a Worm Using Internet Worm Maker Thing

Internet Worm Maker Thing is a tool to create worms. It also has a feature to convert a virus into a worm.

Lab Scenario

In recent years there has been a large growth in Internet traffic generated by malware, that is, Internet worms and viruses. This traffic usually only impinges on the user when either their machine gets infected or during the epidemic stage of a new worm, when the Internet becomes unusable due to overloaded routers. What is less well known is that there is a background level of malware traffic at times of non-epidemic growth, and that anyone plugging an unfirewalled machine into the Internet today will see a steady stream of port scans, backscatter from attempted distributed denial-of-service attacks, and host scans. We must build better firewalls, protect the Internet router infrastructure, and provide early-warning mechanisms for new attacks.

Since you are an expert ethical hacker and penetration tester, your IT director instructs you to test the network to determine whether any viruses and worms will damage or steal the organization's information. You need to construct viruses and worms, try to inject them into a dummy network (virtual machine), and check their behavior: whether they are detected by an antivirus and whether they bypass the firewall.

Lab Objectives

The objective of this lab is to make students learn and understand how to make viruses and worms.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms

Lab Environment

To carry out the lab, you need:
■ Internet Worm Maker Thing, located at D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Worms Maker\Internet Worm Maker Thing\Generator.exe
■ A computer running Windows Server 2012
■ Run this tool on Windows Server 2012 as host machine
■ Administrative privileges to run tools

Lab Duration

Time: 10 Minutes

Overview of Viruses and Worms

A virus is a self-replicating program that produces its own code by attaching copies of itself onto other executable codes. Some viruses affect computers as soon as their codes are executed; others lie dormant until a predetermined logical circumstance is met.

Lab Tasks

TASK 1: Make a Worm

Note: Take a snapshot of the virtual machine before launching the Internet Worm Maker Thing tool.

1. Launch the Internet Worm Maker Thing tool. Installation is not required: double-click and launch the Generator.exe file.
2. The Internet Worm Maker Thing window (Version 4.00, Public Edition) appears.

FIGURE 6.1: Internet Worm Maker Thing main window. The form, as visible in the figure, has fields for Worm Name, Author, Version, Message and Output Path; a Compile To EXE Support check box; startup options (Global Registry Startup, Local Registry Startup, English, Spanish, French, German and Italian Startup); infection options (Infect Bat Files, Infect vbs Files, Add To Context Menu, Outlook spreading); payload scheduling (Activate Payloads On Date, Randomly Activate Payloads with a chance percentage); and a long list of payloads including Change Homepage, Disable Windows Security, Disable Task Manager, Disable Regedit, Disable Explorer.exe, Disable Windows File Protection, Disable System Restore, Disable Windows Update, Disable Run Command, Disable Shutdown, Disable Logoff, Disable Keyboard, Disable Mouse, Swap Mouse Buttons, Hide Desktop, Hide All Drives, Hide Virus Files, Change Drive Icon, Change Wallpaper, Change Clock Text, Change Reg Owner, Change Reg Organisation, Change IE Title Bar, Open CD Drives, Blue Screen Of Death, Lock Workstation, Keyboard Disco, Mute Speakers, Loop Sound, Message Box, Open Webpage, Add To Favorites, Download File, Execute Downloaded File, Corrupt Antivirus, Uninstall Norton Script Blocking, Disable Macro Security and CPU Monster, with a Generate Worm button.

3. Enter a Worm Name, Author, Version, Message and Output Path for the worm to be created.

Note: The option Auto Startup is always checked by default and starts the virus whenever the system boots.

4. Check the Compile To EXE Support check box.
5. Under Startup, select the English Startup check box.
FIGURE 6.2: Select the options for creating the worm

Note: A list of names for the virus after install is shown in the Name after Install drop-down list.

6. Select the Activate Payloads on Date radio button, and for Chance of activating payloads, enter 5.

7. Check the Hide All Drives, Disable Task Manager, Disable Keyboard, Disable Mouse, and Message Box check boxes.

8. Enter a Title and Message, and select the Icon as Information from the drop-down list.

9. Check the Disable Regedit, Disable Explorer.exe, and Change Reg Owner check boxes.
FIGURE 6.3: Select the options for creating the worm

10. Check the Change Homepage check box. In the URL field, enter http://www.powergym.com.

11. Check the Disable Windows Security, Disable Norton Security, Uninstall Norton Script Blocking, Disable Macro Security, Disable Run Command, Disable Shutdown, Disable Logoff, Disable Windows Update, No Search Command, Swap Mouse Buttons, and Open Webpage check boxes.

12. Check the Change IE Title Bar, Change Win Media Player Txt, Open Cd Drives, and Lock Workstation check boxes.

Note: Don't forget to change the settings for every new virus creation. Otherwise, by default, it takes the same name as an earlier virus.
FIGURE 6.4: Select the options for creating the worm

13. Check the Print Message, Disable System Restore, and Change NOD32 Text check boxes.

14. Enter a Title and Message in the respective fields.

15. Enter the URL as http://www.powergym.com and the Sender Name as juggyboy.

16. Check the Mute Speakers, Delete a Folder, Change Wallpaper, and CPU Monster check boxes.

17. Select the Change Time check box and enter the hour and minute in the respective fields.

FIGURE 6.5: Select the options for creating the worm

18. Check the Change Date and Change Computer Name check boxes, and enter the DD, MM, YY and the computer name in the respective fields.

19. Check the Loop Sound, Hide Desktop, Disable Malware Remove, Disable Windows File Protection, and Corrupt Antivirus check boxes.

20. Check the Change Drive Icon, Add To Context Menu, Change Clock Text, Keyboard Disco, and Add To Favorites check boxes.
FIGURE 6.6: Select the options for creating the worm

21. Check the Exploit Windows Admin Lockout Bug and Blue Screen of Death check boxes.

22. Check the Infect Bat Files check box from Infection Options.

23. Check the Hide Virus Files check box from Extras.

24. Click Generate Worm in the Control Panel.

FIGURE 6.7: Select the options for creating the worm
25. The worm is successfully created and the following window appears: "Information! Your new worm.vbs has been made!" Click OK.

26. The created worm.vbs file is located at the C: drive.

Lab Analysis

Document all the files, created viruses, and worms in a separate location.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Internet Worm Maker Thing

Information Collected/Objectives Achieved: To make worms, the following options are used:
■ Hide all drives
■ Disable Task Manager
■ Disable keyboard
■ Disable mouse
■ Message box
■ Disable Regedit
■ Disable Explorer.exe
■ Change Reg Owner
■ Change HomePage
■ Disable Windows security
■ Disable Norton security
■ Disable Run command
■ Disable shutdown
Questions

1. Examine whether the created worms are detected or blocked by any antivirus or antispyware programs.

Internet Connection Required
□ Yes ☑ No

Platform Supported
☑ Classroom ☑ iLabs
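To see what the generated script actually changed on the test VM, rather than relying only on the antivirus verdict the question asks about, here is an added example (not part of the lab manual or of Internet Worm Maker Thing) that reads a "reg export" file offline and flags the lab's payload options; it assumes those options are applied through the standard Windows policy, Internet Explorer and Run keys named in the code, and the export text is constructed.

```python
"""Offline triage of a regedit export for the payload options chosen in this lab
(added example, not from the lab manual or the tool; it assumes the worm applies
those options through the standard Windows keys listed below)."""
import re
POL_SYS = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
POL_EXP = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
IE_MAIN = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
RUN_KEYS = (  # Local Registry Startup / Global Registry Startup options
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
INDICATORS = {  # (key, value name) -> lab option it corresponds to
    (POL_SYS, "DisableTaskMgr"): "Disable Task Manager",
    (POL_SYS, "DisableRegistryTools"): "Disable Regedit",
    (POL_EXP, "NoRun"): "Disable Run Command",
    (POL_EXP, "NoClose"): "Disable Shutdown",
    (POL_EXP, "NoDrives"): "Hide All Drives",
    (IE_MAIN, "Start Page"): "Change Homepage",
}

def parse_reg(text):
    """'Windows Registry Editor Version 5.00' text -> {key.lower(): {name: value}}."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            name, raw = m.group(1), m.group(2)
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            else:  # quoted string; other types (hex(...) blobs) are kept verbatim
                keys[current][name] = raw.strip('"').replace("\\\\", "\\").replace('\\"', '"')
    return keys

def find_worm_indicators(reg_text):
    """(option, key, value name, value) for each indicator found; DWORD policies
    count only when non-zero, string values are reported for the analyst."""
    keys, hits = parse_reg(reg_text), []
    for (key, name), option in INDICATORS.items():
        val = keys.get(key.lower(), {}).get(name)
        if val is not None and val != 0:
            hits.append((option, key, name, val))
    for key in RUN_KEYS:  # any autostart entry that launches a .vbs script
        for name, val in keys.get(key.lower(), {}).items():
            if isinstance(val, str) and val.lower().endswith(".vbs"):
                hits.append(("Registry Startup (.vbs)", key, name, val))
    return hits

# Constructed sample export for the demo, not captured from a real host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoDrives"=dword:03ffffff
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.powergym.com"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\lab\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"JBWorm"="wscript.exe C:\\worm.vbs"
"""
```

Exporting the same hives from the lab VM before and after running worm.vbs and diffing the two result lists shows which options the generated script really applied, independent of whether the antivirus flagged the file.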